Java Web Security Antipatterns
|
|
- Oswald Richardson
- 8 years ago
- Views:
Transcription
1 Java Web Security Antipatterns JavaOne 2015 Dominik Schadow bridgingit
2 Failed with nothing but the best intentions
3 Architect Implement Maintain
4 Architect Skipping threat modeling
5 Software that is secure by design Know the web application Know all external entities Know all data flows Identify all risks
6 Threat model
7 Avoid design flaws
8
9
10 Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker [ ]. Bruce Schneier
11 Implement User passwords stored as plaintext encrypted trivially hashed
12
13 Passw0rd$ d281fdbe0555b913d1c29f99143a3ad7bc66cf83 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD
14 Passw0rd$ SHA1 d281fdbe0555b913d1c29f99143a3ad7bc66cf83 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD
15 Passw0rd$ SHA1 d281fdbe0555b913d1c29f99143a3ad7bc66cf83 MD5 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD
16 Passw0rd$ SHA1 d281fdbe0555b913d1c29f99143a3ad7bc66cf83 MD5 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD AES
17 Slow down brute force attacks
18 PBKDF2 Iterations against brute force attacks Available in plain Java
19 Demo
20 bcrypt Iterations against brute force attacks Integrated in Spring Security
21 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }
22 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }
23 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }
24 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }
25 scrypt Memory against brute force attacks Best protection against dictionary attacks
26 Increase # iterations with faster hardware
27 Set period of time to change passwords User logs in successfully Period of time expired Calculate new salt Set not changed passwords to null Calculate new hash User tries to log in Update hash & salt Force password reset process
28 Enforce length limit on password fields
29 <h:inputsecret id="password" maxlength="1024"> <f:validatelength minimum="10" maximum="1024"/> </h:inputsecret>
30 <h:inputsecret id="password" maxlength="1024"> <f:validatelength minimum="10" maximum="1024"/> </h:inputsecret>
31 private byte[] hash(pbekeyspec keyspec) { return secretkeyfactory.generatesecret (keyspec).getencoded(); }
32 private byte[] hash(pbekeyspec keyspec) { return secretkeyfactory.generatesecret (keyspec).getencoded(); }
33 Implement Changing password Changing address
34
35 Prevent unintended password change Cross-Site Request Forgery vulnerability Session id knowledge
36
37
38 Implement Disabling pasting passwords Delivering log-in form via HTTP
39 Disabling pasting into password fields Does not stop any attack Does not provide any more security Does frustrate users
40
41 HTTP log in page puts security in jeopardy
42 Link to dedicated HTTPS log in page
43 Force HTTPS for the whole page
44 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }
45 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }
46 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }
47 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }
48 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }
49 HSTS stops any insecure communication Requires HTTPS connection No effect on HTTP connections All resources via HTTPS Includes scripts, images, Requires valid certificate No self-signed certificates any more
50 Implement Not logging security events
51 Logging forensics after an event
52 Log in and log out is a security event
53 OWASP Security Logging SECURITY_SUCCESS Successful security check (e.g. successful login) SECURITY_FAILURE Failed security check (e.g. failed login) SECURITY_AUDIT Record security events for audit (e.g. account edited)
54 Use an always active log level or separate log file
55 log.warn( SecurityMarkers.SECURITY_AUDIT, "User {} has edited his account, username);
56 log.warn( SecurityMarkers.SECURITY_AUDIT, "User {} has edited his account, username);
57 log.warn( SecurityMarkers.SECURITY_AUDIT, "User {} has edited his account, username);
58 Implement Skipping session configuration Keeping session id after log-in
59 <plugin> <groupid>org.apache.maven.plugins</groupid> <artifactid>maven-war-plugin</artifactid> <version>2.6</version> <configuration> <failonmissingwebxml> false </failonmissingwebxml> </configuration> </plugin>
60 <plugin> <groupid>org.apache.maven.plugins</groupid> <artifactid>maven-war-plugin</artifactid> <version>2.6</version> <configuration> <failonmissingwebxml> false </failonmissingwebxml> </configuration> </plugin>
61 web.xml is a rich source for security configuration
62 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>
63 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>
64 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>
65 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>
66 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>
67 User usually receives a session id when entering web application
68 4E01EF46D8446D1C 10CB5C08EDA69DD1
69 Session hijacking Attacker steals the session id
70 Session fixation Attacker dictates the session id
71 Have an always visible logout button
72 <form method="post"> <button type="submit">log out</button> </form>
73 <form method="post"> <button type="submit">log out</button> </form>
74 <form action="/logout" method="post"> <input type="hidden" name="${_csrf.parametername}" value="${_csrf.token}"/> <input type="submit" value="logout"/> </form>
75 <form action="/logout" method="post"> <input type="hidden" name="${_csrf.parametername}" value="${_csrf.token}"/> <input type="submit" value="logout"/> </form>
76 Limit session duration web.xml
77 Force HTTPS HSTS
78 Change session id after log in
79 @WebServlet public class Login extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.changesessionid(); //... } }
80 @WebServlet public class Login extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.changesessionid(); //... } }
81 @WebServlet public class Login extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.changesessionid(); //... } }
82 Invalidate session after log out
83 @WebServlet public class Logout extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.getsession().invalidate(); //... } }
84 @WebServlet public class Logout extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.getsession().invalidate(); //... } }
85 Demo
86 Maintain Using outdated libraries
87 Frameworks and libraries decline
88
89
90 <reporting> <plugins><plugin> <groupid>org.owasp</groupid> <artifactid>dependency-check-maven</artifactid> <version>1.3.1</version> <reportsets> <reportset> <reports> <report>aggregate</report> </reports> </reportset> </reportsets> </plugin></plugins> </reporting>
91
92 Summary
93 Plan security with threat modeling Think (like an attacker) during implementation Keep 3rd party libraries up-to-date
94 Enjoy secure programming
95 Koenigstr Stuttgart Germany Blog blog.dominikschadow.de Demo Projects github.com/dschadow/javasecurity HTTP Strict Transport Security RFC tools.ietf.org/html/rfc6797 Microsoft Threat Modeling Tool threatmodeling.aspx Mozilla SeaSponge air.mozilla.org/mozilla-winter-of-securityseasponge-a-tool-for-easy-threat-modeling OWASP Dependency Check OWASP_Dependency_Check OWASP Security Logging OWASP_Security_Logging_Project Spring Security projects.spring.io/spring-security Pictures
Java-Web-Security Anti-Patterns
Java-Web-Security Anti-Patterns Entwicklertag 20.05.2015 Dominik Schadow bridgingit Failed with only the best intentions Design Implement Maintain Design Ignoring threat modeling defense in depth Threat
More informationReal World Java Web Security
Real World Java Web Security Java User Group Karlsruhe Dominik Schadow bridgingit Who thinks about architecture while coding? architecture before coding? Who thinks about security while coding? security
More informationSichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
More informationSecurity starts in the head(er)
Security starts in the head(er) JavaOne 2014 Dominik Schadow bridgingit Policies are independent of framework and language response.addheader(! "Policy name",! "Policy value"! ); User agent must understand
More informationSichere Software- Entwicklung für Java Entwickler
Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationApplication Security. Petr Křemen. petr.kremen@fel.cvut.cz
Application Security Petr Křemen petr.kremen@fel.cvut.cz What is application security? Security is a set of measures that So, what can happen? taken from [7] first half of 2013 Let's focus on application
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationBASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS
BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationSecure development and the SDLC. Presented By Jerry Hoff @jerryhoff
Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationSECURITY DOCUMENT. BetterTranslationTechnology
SECURITY DOCUMENT BetterTranslationTechnology XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationZed E-Commerce and WebCRM 7.5. Release Notes 11/29/2011
Zed E-Commerce and WebCRM 7.5 Release Notes 11/29/2011 PA-DSS 2.0 Validated What is PA-DSS? (Payment Application Data Security Standard) The global security standard created by the Payment Card Industry
More informationMONETA.Assistant API Reference
MONETA.Assistant API Reference Contents 2 Contents Abstract...3 Chapter 1: MONETA.Assistant Overview...4 Payment Processing Flow...4 Chapter 2: Quick Start... 6 Sandbox Overview... 6 Registering Demo Accounts...
More informationSession Management in Web Applications
Session Management in Web Applications Author: EUROSEC GmbH Chiffriertechnik & Sicherheit Tel: 06173 / 60850, www.eurosec.com EUROSEC GmbH Chiffriertechnik & Sicherheit, 2005 What is Web-based Session
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationPierce County IT Department GIS Division Xuejin Ruan Dan King
Pierce County IT Department GIS Division Xuejin Ruan Dan King Web Application Work Flow Main Topics Authentication Authorization Session Management * Concurrent Session Management * Session Timeout Single
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationWeb Application Security Guidelines for Hosting Dynamic Websites on NIC Servers
Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and
More informationProtecting Web Applications and Users
Protecting Web Applications and Users Technical guidance for improving web application security through implementing web browser based mitigations. Defence Signals Directorate February 2012 Contents 1
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationAuthentication and Session Management. JIM MANICO Secure Coding Instructor www.manicode.com
Authentication and Session Management JIM MANICO Secure Coding Instructor www.manicode.com A little background dirt jim@manico.net @manicode OWASP Global Board Member Project manager of the OWASP Cheat
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationKentico CMS security facts
Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the
More informationDISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationApplication Security Policy
Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationWith so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.
1 2 Why do we care about web application security? With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. We constantly
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More information! Resident of Kauai, Hawaii
SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationSecurity vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant
Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant $whoami Introduction Pavol Lupták 10+ years of practical experience in security and seeking vulnerabilities
More informationWeb Security - Hardening estudy
Web Security - Hardening estudy Matthias Hecker, Andreas Schmidt, Philipp Promeuschel, Ivo Senner, Andre Rein, Bartosz Boron, Christian Ketter, Christian Thomas Weber Fachhochschule Giessen-Friedberg September
More informationSecure Coding in Node.js
Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1 Introduction Seth Law VP of Research & Development @
More informationData Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
More informationSecurity features of ZK Framework
1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationSyncThru TM Web Admin Service Administrator Manual
SyncThru TM Web Admin Service Administrator Manual 2007 Samsung Electronics Co., Ltd. All rights reserved. This administrator's guide is provided for information purposes only. All information included
More informationA detailed walk through a CAS authentication
Welcome! First of all, what is CAS? Web single sign on Uses federated authentication, where all authentication is done by the CAS server, instead of individual application servers The implementation is
More informationManaging Data on the World Wide-Web
Managing Data on the World Wide-Web Sessions, Listeners, Filters, Shopping Cart Elad Kravi 1 Web Applications In the Java EE platform, web components provide the dynamic extension capabilities for a web
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationWeb Application Security. Srikumar Venugopal S2, Week 8, 2013
Web Application Security Srikumar Venugopal S2, Week 8, 2013 Before we start Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc.
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
More informationFrom the Intranet to Mobile. By Divya Mehra and Stian Thorgersen
ENTERPRISE SECURITY WITH KEYCLOAK From the Intranet to Mobile By Divya Mehra and Stian Thorgersen PROJECT TIMELINE AGENDA THE OLD WAY Securing monolithic web app relatively easy Username and password
More informationNETWORK SECURITY: How do servers store passwords?
NETWORK SECURITY: How do servers store passwords? Servers avoid storing the passwords in plaintext on their servers to avoid possible intruders to gain all their users passwords. A hash of each password
More informationMobile Application Security
Mobile Application Security Jack Mannino Anand Vemuri June 25, 2015 About Us Jack Mannino CEO at nvisium UI and UX development impaired Enjoys: Scala, Elixir Tolerates: Java Allergic To: Cats, Pollen,.NET
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationThe Security of MDM systems. Hack In Paris 2013 Sebastien Andrivet
The Security of MDM systems Hack In Paris 2013 Sebastien Andrivet Who am I? Sebastien Andrivet Switzerland (Geneva) Specialized in security Mobiles (ios, Android) Forensic Developer C++, x86 and ARM (Cyberfeminist
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationTop Web Application Security Issues. Daniel Ramsbrock, CISSP, GSSP
Top Web Application Security Issues Daniel Ramsbrock, CISSP, GSSP daniel ramsbrock.com Presentation Overview Background and experience Financial services case study Common findings: Weak input validation
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationWeb Application Firewall on SonicWALL SRA
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationLecture Notes for Advanced Web Security 2015
Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many
More informationRecon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins
Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you
More informationAPPLICATION SECURITY AND ITS IMPORTANCE
Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE
More informationBetter PHP Security Learning from Adobe. Bill Condo @mavrck PHP Security: Adobe Hack
Better PHP Security Learning from Adobe Quickly, about me Consultant! Senior Engineer! Developer! Senior Developer! Director of Tech! Hosting Manager! Support Tech 2014: Digital Director Lunne Marketing
More informationSemantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationAnnual Web Application Security Report 2011
Annual Web Application Security Report 2011 An analysis of vulnerabilities found in external Web Application Security tests conducted by NTA Monitor during 2010 Contents 1.0 Introduction... 3 2.0 Summary...
More informationNetBrain Security Guidance
NetBrain Security Guidance 1. User Authentication and Authorization 1.1. NetBrain Components NetBrain Enterprise Server includes five components: Customer License Server (CLS), Workspace Server (WSS),
More informationSecuring the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
OWASP AppSec APAC 2012 The OWASP Foundation http://www.owasp.org Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
More informationSECURING SELF-SERVICE PASSWORD RESET
SECURING SELF-SERVICE PASSWORD RESET FUNCTIONALITY IN WEB APPLICATIONS David A. Shpritz July, 2010 INTRODUCTION Many web applications requiring user authentication also provide self-service password reset
More informationAdvanced OpenEdge REST/Mobile Security
Advanced OpenEdge REST/Mobile Security Securing your OpenEdge Web applications Michael Jacobs August 2013 Legal Disclaimer The contents of these materials are confidential information of Progress Software
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationApplication Security
2009 Marty Hall Declarative Web Application Security Originals of Slides and Source Code for Examples: http://courses.coreservlets.com/course-materials/msajsp.html Customized Java EE Training: http://courses.coreservlets.com/
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationNetwork Security Essentials Chapter 5
Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got
More informationSESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft
More information